In a scan, an attacker scans target destinations (such as ports) in order to identify target destinations that may be exploited, for example, may be used to gain unauthorized access. The attacker scans target destinations by sending a message to each target destination. The response from a target destination may indicate whether the target destination can be exploited.
The scanning may occur at any suitable rate. Faster scanning may be easier to detect as the scan traffic may dominate the traffic. In addition, little or no information about the traffic may need to be stored between scan messages. Slower scanning may be more difficult to detect as the scan traffic may hide in the legitimate traffic. In addition, with slower scanning, more traffic information may need to be stored between scan messages.